
Let's say I have two Apache servers (one per vhost) behind an nginx server.

The problem is that I'd like Apache to do the authentication of client certificates.

Would it be possible for nginx to do the SNI part of SSL (so it knows which Apache instance to forward to), and forward the rest to Apache?

Vladimir Panteleev

1 Answer

I don't believe so, since the SSL client as far as Apache's concerned is the nginx server. The nginx proxy can't have the client's private key, so it can't act as the client for authentication purposes when communicating with the Apache servers.

The device communicating with the client needs to be the one dealing with any client authentication - so this probably isn't feasible.

Shane Madden
  • SNI happens before certificate auth, so it's possible in theory. – Vladimir Panteleev Feb 12 '12 at 04:29
  • Sure, it's possible - just not with nginx, because nginx would be the SSL endpoint that the client's talking to, not Apache. But yes, it's definitely possible when the proxy isn't in on the SSL. The implementation of SNI is very simple, a simple TCP proxy could just read the extension field in the client hello packet and make a decision from there on where to proxy the client to. It looks like HAProxy might actually have this in the works - if you're feeling adventurous, maybe see [if this does what you need](http://haproxy.1wt.eu/download/1.5/src/snapshot/CHANGELOG-1.5-dev7-20120124)? – Shane Madden Feb 12 '12 at 05:03
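The routing Shane sketches in his comment, as an added example that is not part of the original thread: a parser that reads the server_name extension out of a raw ClientHello record without terminating TLS, and a lookup that picks an Apache backend from it. The hostnames and backend addresses are hypothetical, and build_client_hello only constructs a minimal test record, not a negotiable handshake.

```python
import struct

BACKENDS = {"a.example.com": ("10.0.0.11", 443),   # hypothetical vhost -> Apache map
            "b.example.com": ("10.0.0.12", 443)}

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry                      # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                # extension server_name (0)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type handshake

def extract_sni(data: bytes):
    """SNI host_name from a raw ClientHello, or None if not a ClientHello, truncated, or no SNI."""
    try:
        if data[0] != 0x16:
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                     # header, version, random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        while pos + 4 <= end:                                # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                entry = hs[pos + 2:pos + ext_len]            # skip ServerNameList length
                if entry[0] != 0:                            # only host_name is defined
                    return None
                name_len = struct.unpack("!H", entry[1:3])[0]
                name = entry[3:3 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def choose_backend(client_hello: bytes):
    # Backend is chosen purely from the SNI name; the client's certificate is untouched
    return BACKENDS.get(extract_sni(client_hello))
```

A proxy built on this forwards the unmodified bytes (this record included) to the chosen backend, so Apache still sees the real client and can verify its certificate; anything without a known SNI name should be dropped rather than sent to a default.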